Angry Magpie - DLP Bypass Simulator

Presented at DEF CON 33 (2025), Aug. 8, 2025, 3 p.m. (45 minutes).

Angry Magpie is an open-source toolkit that demonstrates critical bypasses in enterprise Data Loss Prevention (DLP) systems through browser-based techniques. Our research identifies a class of attacks — Data Splicing — that enable exfiltration of sensitive data by transforming it to evade detection patterns used by both proxy and endpoint DLP solutions. The toolkit showcases four primary techniques: data sharding, ciphering, transcoding, and channel smuggling, each demonstrating specific architectural limitations in current DLP implementations. Security teams can use Angry Magpie to test their defense mechanisms against these practical attacks, providing valuable insights for enhancing data protection strategies. With browsers now serving as the primary access point for enterprise data, understanding and addressing these vulnerabilities has become essential for maintaining effective data security posture. Special thanks to Pankaj Sharma from the SquareX research team for his contributions to Angry Magpie toolkit.

Presenters:

• Jeswin Mathai
  Jeswin leads the design and implementation of SquareX’s infrastructure. Previously, he was part of Pentester Academy (acquired by INE) where he was responsible for managing the whole lab platform that was used by thousands of customers. A seasoned speaker and researcher, Jeswin has showcased his work at prestigious international stages such as DEF CON US, DEF CON China, RootCon, Black Hat Arsenal, and Demo Labs at DEF CON. He has also imparted his knowledge globally, training in-class sessions at Black Hat US, Asia, HITB, RootCon, and OWASP NZ Day. Jeswin is also the creator of popular open-source projects such as AWSGoat, AzureGoat, and PAToolkit.
• Xian Xiang Chang
  Xian is a software engineer at SquareX, contributing to the industry's first browser detection and response solution. With deep technical expertise in browser security, he architected DetectiveSQ, a containerized system for dynamically analyzing Chrome extensions, earning recognition at Black Hat Asia Arsenal and exemplifying his ability to transform complex security challenges into practical defensive tools.

Similar Presentations:

• Black Hat Asia 2016 / The Kitchen's Finally Burned Down: DLP Security Bakeoff
• Summercon 2015 / Back to the Kitchen: DLP Security Bakeoff, THE SEQUEL
• Black Hat USA 2014 / Stay Out of the Kitchen: A DLP Security Bake-Off